Re: Basic Cert-2-Directory mapping question



Stephen Kent <kent@xxxxxxx> writes:
 
>I think your analysis shows that we have a lot of folks playing CA who are 
>not "qualified" to do so.  
 
            (Wibbly-wobbly effect, fade to shot of John Cleese being turned on 
             a spit by some nuns)
JOHN CLEESE:     And now for something completely different...
            (Fairly empty generic modern room.  End entity being rushed into 
             the room on a dolly.  PKI architects are flipping through 
             standards documents)
PKI ARCHITECT 1: commonName qualified with a serialNumber in the same RDN!
PKI ARCHITECT 2: firstName + surname + generationQualifier (if required) + 
                 dnQualifier!
            (Sysadmin enters and interrupts them)
SYSADMIN:        The end entity is ready.
PKI ARCHITECT 1: Good, take her into the PKI frightening room.
SYSADMIN:        Right.
PKI ARCHITECT 2: I say, it's a bit barren in here isn't it?
PKI ARCHITECT 1: Yes, more junk please sysadmin.  The smart cards, the 
                 Safekeyper, and the biometrics.
SYSADMIN:        Yes, most certainly.
PKI ARCHITECT 1: And get the machine that issues certificates!
            (Sysadmin wheels in a cart containing a PC which has "Intel 
             Inside" and "Designed for Microsoft Windows" stickers on it)
END ENTITY:      What's that for?
PKI ARCHITECT 1: That's the machine that issues certificates
            (Machine goes PING and pops up a "Save certificate as..." dialog)
PKI ARCHITECT 1: You see, that means the end entity has been certified!
PKI ARCHITECT 2: And that is the most expensive machine in the whole building!
PKI ARCHITECT 1: Yes, it cost over three quarters of a million pounds.
PKI ARCHITECT 2: Aren't you lucky?!
SYSADMIN:        The CEO is here doctor.
PKI ARCHITECT 1: Switch everything on!
            (Bleep... whirrr... bing... rumble rumble)
CEO:             Ah very impressive, very impressive, and what are you doing 
                 this morning?
PKI ARCHITECT 2: It is a certification.
CEO:             Ahhh,.. and what sort of thing is that?
PKI ARCHITECT 2: Well, that's where we certify uncontestably and undeniably 
                 that someone we've never met before who lives on the other 
                 side of the planet and who we know only as a (possibly 
                 forged) email address really is who they claim to be and can 
                 be trusted to write good cheques, buy alcohol, sign 
                 contracts, and run a dot-com selling PKI services.
CEO:             Wonderful what you can do nowadays. (PING)  Ahh, I see that 
                 you have the machine that issues certificates.  This is my 
                 favorite.  You see we leased it back from the company we sold 
                 it to and that way it comes out of the monthly current budget 
                 and not the capital account.
            (Applause)
                 Thank you, thank you, we try to do our best, well do carry 
                 on.  
            (CEO leaves)
PKI ARCHITECT 1: Lovely, lovely, jolly good, that's better, much much better.
PKI ARCHITECT 2: Yes, that's more like it.
PKI ARCHITECT 1: Uhh... still something missing though.
PKI ARCHITECT 1+2:END ENTITY!
PKI ARCHITECT 2: Yes, where's the end entity?
PKI ARCHITECT 1: Anyone seen the end entity?
SYSADMIN:        Ahhh... here she is!
PKI ARCHITECT 1: Bring her over here.
PKI ARCHITECT 2: Mind the machine.
PKI ARCHITECT 1: Hello, now don't you worry.
PKI ARCHITECT 2: We'll soon have you certified!
PKI ARCHITECT 1: Leave it all to us, you'll never know what hit you.
END ENTITY:      Will it be a nonRepudiation certificate?
PKI ARCHITECT 1: Now I think it's a little early to start imposing roles on it,
                 don't you?  Now a word of advice, you may find that you 
                 suffer for some time a totally irrational feeling of 
                 depression, PKID as we call it.  So, it's lots of happy pills 
                 for you and you can find out all about the certification when 
                 you get home.  It's available on Betamax, VHS, and Super-8.
            (Reporters and photographers enter the PKI frightening room)
PKI ARCHITECT 1: Who are you?
NOTARY PUBLIC:   I am the end entity's notary public.
PKI ARCHITECT 1: I am sorry, only people involved are allowed in here.
END ENTITY:      What do I do?
PKI ARCHITECT 2: Yes?
END ENTITY:      What do I Do?
PKI ARCHITECT 2: Nothing dear, you're not "qualified"!
            (Machine that issues certificates blue screens, camera zooms in to 
             reveal text that says "And now for something completely 
             different...")

Peter :-).